Updated: December 11, 2019
This document describes how to configure destination-based Network Address Translation (NAT) in a service VPN on a vEdge router.
Cisco recommends that you have knowledge of Cisco SD-WAN.
The information in this document is based on these software and hardware versions:
vSmart Controller with software version 18.3.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The network diagram is shown here.
The main idea is that users at site 50 (vedge1) can reach host 192.168.40.20 at the other site via the IP address 192.168.140.20.
This is analogous to this IOS configuration statement:
ip nat outside source static 192.168.40.20 192.168.140.20
vsmart1# show running-config policy data-policy DNAT
nat pool 31
vsmart1# show running-config apply-policy site-list site_50
data-policy DNAT all
1. Check that the translation is present in the corresponding service VPN.
vedge1# show ip nat interface nat-vpn 40
                                                                FILTER  FILTER                    IP
VPN  IFNAME     MAP TYPE              FILTER TYPE              COUNT   COUNT   IP                POOLS
40   natpool31  endpoint-independent  address-port-restricted  0       0       192.168.140.5/32  1
2. Check that the policy is applied to the vEdge from the vSmart.
vedge1# show policy from-vsmart
from-vsmart data-policy ENK_NAT
nat pool 31
from-vsmart lists vpn-list CORP
If destination-based NAT does not work, the important thing to ensure is that the IP address of the NAT pool is reachable from the destination host. This matters because, in the vEdge router implementation of destination-based NAT, the source IP address is also NATed to the IP address of the pool. So, based on the sample configuration, the destination address 192.168.140.20 is replaced with the real IP address 192.168.40.20, but the address of the host from the 192.168.50.0/24 subnet at site 50 is also NATed to 192.168.140.5, hence there must be a route back to this address or reply packets will not reach the source host (requester). This can be achieved by advertising the NAT pool subnet. In this example, the subnet consists of just one address and is advertised via the Overlay Management Protocol (OMP).
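The following Python model, added here as an illustration and not part of the original document or of any Cisco software, walks one request from a site-50 host through the translation just described and back. It uses the page's addresses (pool 192.168.140.5, translated destination 192.168.140.20, real host 192.168.40.20); the requesting host 192.168.50.10, the ports, and the remote site's routing tables are constructed values. The point it shows is the failure mode from the paragraph above: without a route for the pool address at the remote site the reply is lost, even though the forward translation worked.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Values from the page's sample configuration and show outputs.
NAT_POOL_ADDR = ip_address("192.168.140.5")      # address of nat pool 31 on vedge1
STATIC_TRANSLATIONS = {                          # address seen by site 50 -> real host
    ip_address("192.168.140.20"): ip_address("192.168.40.20"),
}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int


class VedgeDestinationNat:
    """Models the behaviour the page describes: on the way out the destination is
    swapped for the real host address AND the source is swapped for the pool
    address; replies are matched against a session table and un-translated."""

    def __init__(self, first_port=40000):
        # (pool port, real host, host port) -> (original src, original sport)
        self._sessions = {}
        self._next_port = first_port

    def outbound(self, pkt):
        real_dst = STATIC_TRANSLATIONS.get(pkt.dst)
        if real_dst is None:
            return pkt                       # not matched by the data policy: forwarded untouched
        pool_port = self._next_port
        self._next_port += 1
        self._sessions[(pool_port, real_dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(NAT_POOL_ADDR, real_dst, pool_port, pkt.dport)

    def inbound(self, pkt):
        key = (pkt.dport, pkt.src, pkt.sport)
        if pkt.dst != NAT_POOL_ADDR or key not in self._sessions:
            return None                      # no session state: nothing to map the reply to
        orig_src, orig_sport = self._sessions[key]
        # Put back the address the requester originally used as destination.
        outside_addr = next(o for o, real in STATIC_TRANSLATIONS.items() if real == pkt.src)
        return Packet(outside_addr, orig_src, pkt.sport, orig_sport)


def has_route(routing_table, address):
    """True if any prefix in the (constructed) remote-site table covers the address."""
    return any(address in prefix for prefix in routing_table)


def request_reply(remote_site_prefixes):
    """Send one request from a site-50 host (constructed: 192.168.50.10:51000 -> 192.168.140.20:443)
    through the NAT and back. Returns (packet on the wire, reply seen by the requester);
    the reply is None when the remote site has no route back to the pool address."""
    remote_routes = [ip_network(p) for p in remote_site_prefixes]
    nat = VedgeDestinationNat()
    request = Packet(ip_address("192.168.50.10"), ip_address("192.168.140.20"), 51000, 443)
    on_wire = nat.outbound(request)
    # The remote host answers the addresses it actually saw: the pool address, not 192.168.50.10.
    reply = Packet(on_wire.dst, on_wire.src, on_wire.dport, on_wire.sport)
    if not has_route(remote_routes, reply.dst):
        return on_wire, None                 # no route to 192.168.140.5: reply dropped at the remote site
    return on_wire, nat.inbound(reply)


if __name__ == "__main__":
    print("without pool route:", request_reply(["192.168.40.0/24"]))
    print("with pool route:   ", request_reply(["192.168.40.0/24", "192.168.140.5/32"]))
```

The second run corresponds to the page's setup, where the /32 for the pool is advertised over OMP; the first run is what an operator sees when that advertisement is missing and only the forward direction "works".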
Here is how you can check that the route is present on the vEdge router at the remote site:
vedge2# show ip routes vpn 40 omp | i 192.168.140.5
40 192.168.140.5/32 omp - - - - 192.168.30.5 mpls ipsec F,S
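To make the two verification steps above repeatable, here is an added Python check, not part of the original document, that parses the shape of the two show outputs (`show ip nat interface` on the local vEdge and `show ip routes` on the remote vEdge) and confirms that every NAT pool address is covered by a route installed in the FIB at the remote site. The sample outputs are constructed to match the page's values; the assumption that the status code `F` means the route is in the FIB follows the vEdge status legend, and the column regexes are the author's own, written against the layout shown on the page.

```python
import re
from ipaddress import ip_interface, ip_network

# Constructed sample outputs: same commands and values as the page's verification steps.
NAT_INTERFACE_OUTPUT = """\
vedge1# show ip nat interface nat-vpn 40
                                                                FILTER  FILTER                    IP
VPN  IFNAME     MAP TYPE              FILTER TYPE              COUNT   COUNT   IP                POOLS
40   natpool31  endpoint-independent  address-port-restricted  0       0       192.168.140.5/32  1
"""

REMOTE_ROUTES_OUTPUT = """\
vedge2# show ip routes vpn 40 omp | i 192.168.140.5
40    192.168.140.5/32  omp  -  -  -  -  192.168.30.5  mpls  ipsec  F,S
"""

# Constructed: what the remote vEdge shows when the pool prefix is not advertised.
REMOTE_ROUTES_MISSING = """\
vedge2# show ip routes vpn 40 omp | i 192.168.140.5
"""

_PREFIX = r"\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}"
# VPN, IFNAME, ..., IP prefix, POOLS count at end of line
_NAT_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+.*?(" + _PREFIX + r")\s+(\d+)\s*$")
# VPN, prefix, protocol, ..., status flags at end of line
_ROUTE_ROW = re.compile(r"^\s*(\d+)\s+(" + _PREFIX + r")\s+(\S+)\s+.*?(\S+)\s*$")


def nat_pools(output, vpn):
    """Return (ifname, pool prefix) for each NAT pool listed for the given VPN."""
    pools = []
    for line in output.splitlines():
        m = _NAT_ROW.match(line)
        if m and int(m.group(1)) == vpn:
            pools.append((m.group(2), ip_interface(m.group(3))))
    return pools


def remote_routes(output, vpn):
    """Map prefix -> (protocol, status flags) for the given VPN."""
    routes = {}
    for line in output.splitlines():
        m = _ROUTE_ROW.match(line)
        if m and int(m.group(1)) == vpn:
            routes[ip_network(m.group(2))] = (m.group(3), m.group(4))
    return routes


def check_pool_reachability(nat_output, routes_output, vpn):
    """For each pool address, find the most specific remote-site route that covers it
    and is installed in the FIB (status contains 'F'). Returns a list of
    (ifname, pool address, covering prefix or None); None means replies to the
    pool address cannot be forwarded back and the translation will appear broken."""
    routes = remote_routes(routes_output, vpn)
    results = []
    for ifname, pool in nat_pools(nat_output, vpn):
        covering = None
        for prefix, (_proto, status) in routes.items():
            if pool.ip in prefix and "F" in status.split(","):
                if covering is None or prefix.prefixlen > covering.prefixlen:
                    covering = prefix
        results.append((ifname, pool.ip, covering))
    return results


if __name__ == "__main__":
    for ifname, addr, via in check_pool_reachability(NAT_INTERFACE_OUTPUT, REMOTE_ROUTES_OUTPUT, 40):
        print(f"{ifname} {addr}: {'reachable via ' + str(via) if via else 'NO ROUTE at remote site'}")
    for ifname, addr, via in check_pool_reachability(NAT_INTERFACE_OUTPUT, REMOTE_ROUTES_MISSING, 40):
        print(f"{ifname} {addr}: {'reachable via ' + str(via) if via else 'NO ROUTE at remote site'}")
```

Feed it the real outputs captured from both routers; a `None` in the result is the condition the paragraph above warns about, and the fix is to advertise the pool subnet so that the remote vEdge learns it over OMP.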